Changeset 3897
- Timestamp:
- 15/05/08 09:58:48 (13 years ago)
- Location:
- TI12-security/trunk/python
- Files:
-
- 1 added
- 8 edited
TI12-security/trunk/python/Tests/authtest/authtest/controllers/test2.py
r3892 r3897 11 11 # return render('/some/template.mako') 12 12 # or, Return a response 13 return 'Hello World'13 return render('signin') -
TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/pdp/__init__.py
r3896 r3897 56 56 57 57 def __init__(self, 58 cfgFilePath=None,59 58 cfg=None, 60 59 cfgSection='DEFAULT', … … 62 61 """PDPInterface(cfgFilePath|cfg|**cfgKw) 63 62 64 @type cfg FilePath: string65 @param cfg FilePath: file path to configuration file66 @type cfg: ConfigParser object to retrieve parameters from as an67 alternative to cfgFilePath input63 @type cfg: string / ConfigParser 64 @param cfg: 65 @type cfg: file path to configuration file or ConfigParser object to 66 retrieve parameters from 68 67 @type cfgSection: string 69 68 @param cfgSection: sets the section name to retrieve config params -
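Review bot: The rewritten epydoc block for `PDPInterface.__init__` tags the description with a second `@type cfg:` and leaves `@param cfg:` empty, so the parameter ends up with two types and no description; the three lines should read `@type cfg: string / ConfigParser` followed by `@param cfg: file path to configuration file or ConfigParser object to retrieve parameters from`. The summary line `PDPInterface(cfgFilePath|cfg|**cfgKw)` still names the `cfgFilePath` keyword this hunk removes from the signature and should become `PDPInterface(cfg|**cfgKw)`. The body of `__init__` continues outside the hunk.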
TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/pdp/browse.py
r3896 r3897 76 76 molesXMLNS = 'http://ndg.nerc.ac.uk/moles' 77 77 csmlXMLNS = 'http://ndg.nerc.ac.uk/csml' 78 79 roleElemName = 'attrauthRole' 80 aaElemName = 'dgAttributeAuthority' 81 82 molesSimpleConditionPth = \ 83 '%sdgMetadataSecurity/%sdgSecurityCondition/%ssimpleCondition' 84 85 # MOLES B0 query 86 b0SimpleConditionXPth = molesSimpleConditionPth % (('{'+molesXMLNS+'}',)*3) 78 87 79 88 # MOLES B1 is dynamically generated from B0 and has no schema 80 b1dgSecurityConditionXPth = 'dgMetadataSecurity/dgSecurityCondition' 81 82 # Add schemae prefixes for B0 query 83 b0dgSecurityConditionXPth = '{%s}%s'%(molesXMLNS,b1dgSecurityConditionXPth) 84 85 csmlDGSecurityConditionXPth = \ 86 '{%s}AccessControlPolicy/{%s}dgSecurityCondition' % ((csmlXMLNS, )*2) 87 88 molesXPathQueryPfx = \ 89 '{http://ndg.nerc.ac.uk/moles}simpleCondition/{http://ndg.nerc.ac.uk/moles}' 90 roleXPathQuery = molesXPathQueryPfx + 'attrauthRole' 91 roleXPathQuery = molesXPathQueryPfx + 'dgAttributeAuthority' 89 b1SimpleConditionXPth = molesSimpleConditionPth % (('', )*3) 90 91 # CSML Query 92 a0SimpleConditionXPth = \ 93 '{%s}AccessControlPolicy/{%s}dgSecurityCondition/{%s}simpleCondition'%\ 94 ((csmlXMLNS, )*2 + (molesXMLNS,)) 92 95 93 96 defParam = {'aaURI': '', … … 95 98 'tracefile': '', 96 99 'acCACertFilePathList': [], 97 'acIssuer': ''} 100 'acIssuer': '', 101 'wssCfgFilePath': None, 102 'wssCfgSection': 'DEFAULT'} 98 103 99 104 … … 118 123 119 124 self.resrcURI = None 120 self.securityElement = None 121 self.userHandle = None 125 self.resrcDoc = None 126 self.smURI = None 127 self.userSessID = None 122 128 123 129 # Set from config file 124 130 if isinstance(cfg, basestring): 125 self._readConfig(cfg FilePath)131 self._readConfig(cfg) 126 132 else: 127 133 self._cfg = cfg … … 143 149 144 150 145 def _getSecurityElem(self): 146 '''Query the input document for a security constraint element. 
147 The query type is dependent on the schema of the document''' 151 def _getSecurityConstraints(self): 152 '''Query the input document for a security role and Attribute Authority 153 URI constraints. The query structure is dependent on the schema of the 154 document 155 156 @rtype: tuple 157 @return: required role and the URI for the Attribute Authority to 158 query. If role is None, no security is set''' 148 159 149 160 if self.resrcURI.schema == 'DIF': 150 161 log.info('BrowsePDP: DIF record found - no security applied') 151 return None # no access control162 return None, None # no access control 152 163 153 164 elif self.resrcURI.schema == 'NDG-B0': 154 165 log.info(\ 155 166 'BrowsePDP: Checking for constraints for MOLES B0 document ...') 156 return self.resrcDoc.tree.find(BrowsePDP.b1dgSecurityConditionXPth) 167 168 roleXPth = '%s/{%s}%s' % (BrowsePDP.b0SimpleConditionXPth, 169 BrowsePDP.molesXMLNS, 170 BrowsePDP.roleElemName) 171 172 aaXPth = '%s/{%s}%s' % (BrowsePDP.b0SimpleConditionXPth, 173 BrowsePDP.molesXMLNS, 174 BrowsePDP.aaElemName) 157 175 158 176 elif self.resrcURI.schema == 'NDG-B1': … … 160 178 log.info(\ 161 179 'BrowsePDP: Checking for constraints for MOLES B1 document ...') 162 return self.resrcDoc.tree.find(BrowsePDP.b1dgSecurityConditionXPth) 163 180 181 roleXPth = '%s/%s' % (BrowsePDP.b1SimpleConditionXPth, 182 BrowsePDP.roleElemName) 183 184 aaXPth = '%s/%s' % (BrowsePDP.b1SimpleConditionXPth, 185 BrowsePDP.aaElemName) 186 164 187 elif self.resrcURI.schema == 'NDG-A0': 165 188 log.info(\ 166 'BrowsePDP: Checking for constraints for CSML document ...') 167 return \ 168 self.resrcDoc.tree.find(BrowsePDP.csmlDGSecurityConditionXPth) 189 'BrowsePDP: Checking for constraints for CSML document ...') 190 191 roleXPth = '%s/{%s}%s' % (BrowsePDP.a0SimpleConditionXPth, 192 BrowsePDP.molesXMLNS, 193 BrowsePDP.roleElemName) 194 195 aaXPth = '%s/{%s}%s' % (BrowsePDP.a0SimpleConditionXPth, 196 BrowsePDP.molesXMLNS, 197 BrowsePDP.aaElemName) 169 198 
else: 170 log.error('BrowsePDP ._getSecurityElem: unknown schema type "%s"'%\199 log.error('BrowsePDP: unknown schema type "%s"' % \ 171 200 self.resrcURI.schema) 172 201 raise PDPUnknownResourceType() 173 202 203 # Execute queries for role and Attribute Authority elements and extract 204 # the text. Default to None if not found 205 roleElem = self.resrcDoc.tree.find(roleXPth) 206 if roleElem is not None: 207 role = roleElem.text 208 else: 209 role = None 210 211 aaURIElem = self.resrcDoc.tree.find(aaXPth) 212 if aaURIElem is not None: 213 aaURI = aaURIElem.text 214 else: 215 aaURI = None 216 217 return role, aaURI 218 174 219 175 def _readConfig(self ):220 def _readConfig(self, cfgFilePath): 176 221 '''Read PDP configuration file''' 177 self._cfg.read( self.cfgFilePath)222 self._cfg.read(cfgFilePath) 178 223 179 224 180 225 def _parseConfig(self, section='DEFAULT'): 181 226 '''Extract parameters from _cfg config object''' 227 log.debug("BrowsePDP._parseConfig ...") 228 182 229 # Copy directly into attribute of this object 183 230 for paramName, paramVal in BrowsePDP.defParam.items(): 231 if not self._cfg.has_option(section, paramName): 232 # Set default if parameter is missing 233 log.debug("Setting default %s = %s" % (paramName, paramVal)) 234 setattr(self, paramName, paramVal) 235 continue 236 184 237 if isinstance(paramVal, list): 185 238 listVal = expVars(self._cfg.get(section, paramName)).split() … … 217 270 <moles:effect>allow</moles:effect> 218 271 <moles:simpleCondition> 219 <moles:dgAttributeAuthority>http s://glue.badc.rl.ac.uk/AttributeAuthority</moles:dgAttributeAuthority>272 <moles:dgAttributeAuthority>http://dev.badc.rl.ac.uk/AttributeAuthority</moles:dgAttributeAuthority> 220 273 <moles:attrauthRole>coapec</moles:attrauthRole> 221 274 </moles:simpleCondition> … … 226 279 tokens. 
Resets equivalent object attribute.""" 227 280 228 log.debug("BrowsePDP.accessPermitted ...") 229 281 log.debug("Calling BrowsePDP.accessPermitted ...") 282 283 if accessType is not None: 284 log.warning("BrowsePDP an accessType = [%s] " % accessType + \ 285 "was set Browse assumes all access type is based " + \ 286 "on the role attribute associated with the data") 287 230 288 # Resource handle contains URI and ElementTree resource security 231 289 # element … … 238 296 239 297 # First query the document for a security constraint 240 self.securityElement = self._getSecurityElem()241 if not self.securityElement:298 role, aaURI = self._getSecurityConstraints() 299 if not role: 242 300 # No security set 243 log.info("BrowsePDP: no security constraints found for [%s]" %\301 log.info("BrowsePDP: no security role constraint found for [%s]" %\ 244 302 self.resrcURI.schema + \ 245 " type document [%s]" % self.resrcURI) 303 " type document [%s]: GRANTING ANONYMOUS ACCESS" % \ 304 self.resrcURI) 246 305 return 247 248 249 # User handle contains 'h' = Session Manager URI and 'sid' user 250 # Session ID 306 307 # Check that the user is logged in. 
- The User handle contains 308 # 'h' = Session Manager URI and 'sid' user Session ID 251 309 try: 252 310 self.smURI = userHandle['h'] … … 255 313 log.error("User handle missing key %s" % e) 256 314 raise PDPUserNotLoggedIn() 257 258 259 roleElem = self.securityElement.find(BrowsePDP.roleXPathQuery) 260 if roleElem is None or not roleElem.text: 261 log.error("PDP: role not set in MOLES security " + \ 262 "constraints") 263 raise PDPMissingResourceConstraints() 264 265 self.reqRole = roleElem.text 266 267 aaElem = self.securityElement.find(BrowsePDP.aaXPathQuery) 268 269 # Sanity check on Attribute Authority URI 270 if aaElem and aaElem.text: 271 aaURI = aaElem.text 272 315 316 # Sanity check on Attribute Authority URI retrieved from the data 317 if aaURI: 273 318 # Check Attribute Authority address 274 319 try: 275 320 BrowsePDP.urlCanBeOpened(aaURI) 321 276 322 except URLCannotBeOpened, e: 277 # Catch situation where either Attribute Authority address in the 278 # data invalid or none was set. In this situation verify 279 # against the Attribute Authority set in the config 280 281 log.warning('PDP: MOLES security constraint ' + \ 323 # Catch situation where either Attribute Authority address in 324 # the data invalid or none was set. 
In this situation verify 325 # against the Attribute Authority set in the config 326 log.warning('BrowsePDP: security constraint ' + \ 282 327 'Attribute Authority address is invalid - ' + \ 283 328 'defaulting to config file setting: %s; ' % \ … … 286 331 aaURI = self.aaURI 287 332 else: 288 log.warning(" PDP: Attribute Authority element not " + \333 log.warning("BrowsePDP: Attribute Authority element not " + \ 289 334 "set in MOLES security constraints - defaulting " + \ 290 335 "to config file setting: %s" % self.aaURI) … … 293 338 # Retrieve Attirbute Certificate from user's session held by 294 339 # Session Manager 295 attCert = self._pullUserSessionAttCert(aaURI )340 attCert = self._pullUserSessionAttCert(aaURI, role) 296 341 297 342 # Check its validity 298 343 self._checkAttCert(attCert) 299 344 300 log.info(' PDP - access grantedfor user "%s" ' % \345 log.info('BrowsePDP: ACCESS GRANTED for user "%s" ' % \ 301 346 attCert.userId + \ 302 347 'to "%s" secured with role "%s" ' % \ 303 (self.resrcURI, self.reqRole) + \348 (self.resrcURI, role) + \ 304 349 'using attribute certificate:\n\n%s' % attCert) 305 350 306 351 307 def _pullUserSessionAttCert(self, aaURI ):352 def _pullUserSessionAttCert(self, aaURI, role): 308 353 """Check to see if the Session Manager can deliver an Attribute 309 354 Certificate with the required role to gain access to the resource … … 312 357 @type aaURI: string 313 358 @param aaURI: address of Attribute Authority that the Session Manager 314 will call in order to request an AC on behalf of the user""" 359 will call in order to request an AC on behalf of the user 360 361 @type role: string 362 @param role: role controlling access to the secured resource""" 315 363 316 364 try: 317 # Create Session Manager client 365 # Create Session Manager client - if a file path was set, setting 366 # are read from a separate config file section otherwise, from the 367 # PDP config object 318 368 self.smClnt = SessionMgrClient(uri=self.smURI, 319 
cfgFilePath=self.cfgFilePath, 320 cfgFileSection='WS-Security', 321 sslCACertFilePathList=self.sslCACertFilePathList, 322 tracefile=self.tracefile, 323 **self.wssCfg) 369 cfg=self.wssCfgFilePath or self._cfg, 370 cfgFileSection=self.wssCfgSection, 371 **self.wssCfg) 324 372 except Exception, e: 325 log.error(" PDP: creating Session Manager client: %s"%e)373 log.error("BrowsePDP: creating Session Manager client: %s" % e) 326 374 raise InitSessionCtxError() 327 375 … … 331 379 attCert = self.smClnt.getAttCert(attAuthorityURI=aaURI, 332 380 sessID=self.userSessID, 333 reqRole= self.reqRole)381 reqRole=role) 334 382 return attCert 335 383 -
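Review bot: `accessPermitted` now treats a missing or empty role the same as an unsecured record: `if not role:` logs "GRANTING ANONYMOUS ACCESS" and returns, whereas the removed code raised `PDPMissingResourceConstraints` when a security element was present but its `attrauthRole` was unset, so a MOLES or CSML document whose `simpleCondition` exists without role text now fails open instead of closed. `_getSecurityConstraints` should keep the two cases apart: record the `simpleCondition` path alongside `roleXPth` in each schema branch and raise when that element is found but the role element is absent or has no text, returning `None, None` only for documents with no condition at all. The `accessType` warning and the remainder of `accessPermitted` start outside the hunk, as does the top of `_getSecurityConstraints`.
```python
        # … unchanged: per-schema roleXPth / aaXPth construction, with
        # simpleCondXPth = BrowsePDP.<schema>SimpleConditionXPth set in each branch …

        # A condition element that names no role is a malformed constraint,
        # not an unsecured record: fail closed here rather than letting
        # accessPermitted grant anonymous access on a None role
        condElem = self.resrcDoc.tree.find(simpleCondXPth)
        roleElem = self.resrcDoc.tree.find(roleXPth)
        if roleElem is not None and roleElem.text:
            role = roleElem.text
        elif condElem is not None:
            log.error("BrowsePDP: role not set in security constraints")
            raise PDPMissingResourceConstraints()
        else:
            role = None

        # … unchanged: aaURI lookup and return role, aaURI …
```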
TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/pdp/proftp.py
r3790 r3897 76 76 'acIssuer': ''} 77 77 78 def __init__(self, cfg FilePath=None, **cfgKw):78 def __init__(self, cfg=None, **cfgKw): 79 79 """Initialise settings for WS-Security and SSL for SOAP 80 80 call to Session Manager … … 87 87 """ 88 88 89 self.cfgFilePath = cfg FilePath89 self.cfgFilePath = cfg 90 90 self.resrcURI = None 91 91 self.securityElement = None -
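Review bot: The `__init__` in proftp.py stores `cfg` straight into `self.cfgFilePath`, while the parallel constructors changed in this changeset (browse.py, pep.py) test `isinstance(cfg, basestring)` so that `cfg` may also be a ConfigParser object; here an object would be kept under a path-named attribute and, if this class later reads a file from `self.cfgFilePath` as the old name suggests, treated as a filename. Either add the same branch, `if isinstance(cfg, basestring): self.cfgFilePath = cfg` with the object kept in `self._cfg` otherwise, or state in the docstring that this PDP accepts a file path only. The constructor body continues outside the hunk.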
TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/pep.py
r3896 r3897 76 76 if isinstance(cfg, basestring): 77 77 log.debug('Setting PEP config from file: "%s" ...' % cfg) 78 self.readConfig(cfg FilePath)78 self.readConfig(cfg) 79 79 else: 80 80 log.debug('Setting PEP config from existing config object ...') -
TI12-security/trunk/python/ndg.security.common/ndg/security/common/wsSecurity.py
r3892 r3897 162 162 163 163 #_________________________________________________________________________ 164 def __init__(self, cfg FilePath=None, cfgFileSection='DEFAULT',164 def __init__(self, cfg=None, cfgFileSection='DEFAULT', 165 165 cfgClass=WSSecurityConfig, **kw): 166 166 ''' … … 249 249 raise TypeError("%s is not a sub-class of WSSecurityConfig" % \ 250 250 cfgClass) 251 self.cfg = cfgClass()252 251 253 252 # Read parameters from config file if set 254 if cfgFilePath: 253 if isinstance(cfg, basestring): 254 log.debug("SignatureHandler.__init__: config file path input ...") 255 self.cfg = cfgClass() 256 self.cfg.read(cfg) 257 else: 258 log.debug("SignatureHandler.__init__: config object input ...") 259 self.cfg = cfgClass(cfg=cfg) 260 261 if cfg: # config object or config file path was set 255 262 log.debug("SignatureHandler.__init__: Processing config file...") 256 self.cfg.read(cfgFilePath)257 263 self.cfg.parse(section=cfgFileSection) 258 264 259 265 # Also update config from keywords set 260 266 log.debug("SignatureHandler.__init__: setting config from keywords...") -
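Review bot: The debug line `SignatureHandler.__init__: Processing config file...` under `if cfg:` now also fires for the config-object branch, where no file is read; `log.debug("SignatureHandler.__init__: parsing config ...")` would describe both paths. When `cfg` is None the `else` branch calls `cfgClass(cfg=None)` where the previous code called `cfgClass()`, which is presumably accepted by WSSecurityConfig but worth confirming. If `self.cfg.read` follows ConfigParser semantics and silently skips an unreadable path, a mistyped file name leaves the signature handler with an empty configuration; checking the list that `read` returns and raising when it is empty would turn that into a hard failure. The rest of `__init__` lies outside the hunk.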
TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/login.py
r3892 r3897 104 104 except Exception, e: 105 105 c.xml = "Error logging in. Please check your username/" + \ 106 "pass-phrase and try again." 106 "pass-phrase and try again. If the problem persists " + \ 107 "please contact your site administrator." 107 108 log.error("Session Manager connect returned: %s" % e) 108 109 response.status_code = 401 -
TI12-security/trunk/python/ndg.security.test/ndg/security/test/wsSecurity/server/echoServer.py
r3755 r3897 99 99 # Create the Inherited version of the server 100 100 echo = EchoService() 101 echo.signatureHandler = wsSecurity.SignatureHandler(\ 102 cfgFilePath=wsseCfgFilePath) 101 echo.signatureHandler = wsSecurity.SignatureHandler(cfg=wsseCfgFilePath) 103 102 104 103 serviceContainer.setNode(echo, url=path)